Security Measures for Small and Medium-Sized Enterprises – Threats to Hardware

Hardware Damaged During Transport

The transportation of information may present a major security concern, especially if the data is essential due to

Failure of IT or Communications Equipment

To prevent damage due to equipment failure, consider drawing up:

• an investment and renewal plan for IT equipment in accordance with the equipment’s life cycle (Draft and enforce a Sectoral policy on Physical and environmental security – Maintenance);
• a stock of IT equipment for networks (cables, switches, hard drives, etc.);
• increased redundancies to cut down on unavailability (RAID, load balancer).

Unusable Backups

The availability of backups as well as the possibility of restoring them are critical elements if you need them after an incident. To prevent any unpleasant surprises, be sure to:

• test the backup restoration procedure (Draft and enforce a Sectoral policy on Operational and communication aspects – Data backups);
• protect the backups against accidental, deliberate or environmental destruction (Draft and enforce a Sectoral policy on Physical and environmental security – Physical security perimeter and Rules within the perimeter);
• store the software and hardware needed to restore the backups in a safe place.

Addition or Removal of Hardware

A number of risks may arise from adding or removing hardware. Ensure that:

• access to the IT network is filtered and is subject to an authentication procedure (Draft and enforce a Sectoral policy on Access control – Access control policy and Access rights management and Connection procedures and External connections and Network separation);
• the IT network is segmented according to security requirements (Draft and enforce a Sectoral policy on Access control – Network separation);
• the insertion of removable devices (especially by USB) is subject to conditions or even prohibited entirely;
• users respect the Charter for the use of IT resources (Draft and enforce a Sectoral policy on Human resources – Training and information).

Device Recovery

Data is only completely lost once the media it was stored on has been destroyed. To avoid the recovery of scrapped devices containing sensitive information, special procedures must be used to render them inoperable (Draft and enforce a Sectoral policy on Physical and environmental security – Disposal and reuse of equipment). Make sure that:

• optical and magnetic data devices are destroyed (crusher or demagnetiser);
• shredders are made available to staff who work with sensitive data to destroy paper files;
• the staff are made aware of this practice (Draft and enforce a Sectoral policy on Human factors – Training and information).

Aggravated Theft

The high value of IT equipment, most of all mobile devices, make them a prime target for ill-intentioned people to steal. Equipment theft is nothing new, but the theft of information in the context of economic intelligence can be very profitable and security measures must be deployed, as follows: 

• encryption of laptop computers and tablets (Draft and enforce a Sectoral policy on System development and maintenance – Use of encryption);
• security awareness aimed at portable equipment users (Draft and enforce a Sectoral policy on Human factors – Training and information);
• backup and ad hoc protection of data stored on mobile devices or their centralisation within the organisation (Draft and enforce a Sectoral policy on Operational and communication aspects – Data backups);
• the measures presented to protect against the physical infiltration of the premises must be applied (Draft and enforce a Sectoral policy on Physical and environmental security – Physical security perimeter and Rules within the perimeter and Clean desk).